Securing the HIPAA Security Rule


Both patients and health care providers have much to gain from the electronic processing of health data. Its advantages include speed, efficiency, and flexibility of information processing, which can result in long-term cost savings and improved patient outcomes. Unfortunately, many of the positive attributes of medical record computerization also enable the operation of a market in illicitly obtained private health information. The Internet provides a nearly ideal channel for trafficking in health information because it allows data to be transmitted anywhere in the world quickly, inexpensively, and with relatively little risk of detection.

The threat to data security associated with the electronic storage and transmission of health information is serious enough that it has merited regulatory intervention, which came in the form of the HIPAA Security Rule, promulgated as part of the HIPAA Privacy Rule on April 20, 2005. Based on a close reading of the Security Rule and on empirical evidence, we argue that the Rule has thus far fallen far short of fulfilling its goal of safeguarding the security of electronic health information. This article briefly describes the provisions of the Security Rule and then offers a critique of it. It details the Rule's major shortcomings, emphasizing the many ways in which it fails to provide meaningful compliance guidance to covered entities. The article also develops recommendations for revisions to the Rule, focusing on a proposed "best practices" standard.


HIPAA, HIPAA Security Rule, Health Data, Data Security, Internet, Health Privacy

Place of Original Publication

Journal of Internet Law

Publication Information

10 (8) Journal of Internet Law 1 (2007)


Author

Sharona Hoffman